
How do I run Linux tcpdump with the Sniffer10G software?


Here are the instructions for using Linux tcpdump with Sniffer10G.

  1. Verify that your tcpdump is dynamically linked against libpcap:

      % ldd `which tcpdump` | grep pcap

     If your tcpdump statically links libpcap, you will see no output. Otherwise you will see something like:

      libpcap.so.0.9.4 => /usr/lib64/libpcap.so.0.9.4 (0x00000034c1400000)

     Note the soname (here libpcap.so.0.9.4); step 3 needs it.

     If you saw no output, continue with step 2 (building a new tcpdump).

     If you saw output like the above, skip to step 3 (running tcpdump with LD_LIBRARY_PATH set).

  2. Building a new tcpdump:

    1. Make sure you have libpcap-devel installed, so that configure finds a shared libpcap to link against:

      % sudo yum install libpcap-devel

    2. Download and build tcpdump. The tarball is fetched over plain HTTP here; prefer the https URL and check the tarball against the PGP signature tcpdump.org publishes next to each release before building it.

      % wget http://www.tcpdump.org/release/tcpdump-4.1.1.tar.gz
      % tar zxf tcpdump-4.1.1.tar.gz
      % cd tcpdump-4.1.1/
      % ./configure
      % make

       The resulting binary is ./tcpdump in the build directory. The commands in step 3 refer to that binary, so run them from this directory (or install it with make install and use the installed path).
      
  3. Running tcpdump with LD_LIBRARY_PATH set:

    1. Determine which libpcap soname your tcpdump expects (use `which tcpdump` instead of ./tcpdump for a distribution binary):

      % ldd ./tcpdump | grep pcap
      libpcap.so.0.9.4 => /usr/lib64/libpcap.so.0.9.4 (0x00000034c1400000)

    2. Make a symlink with exactly that soname in /opt/snf/lib. The loader looks libraries up by soname, so the link name must match what ldd printed, not just the major version. Assuming your version is 0.9.4:

      % sudo ln -s /opt/snf/lib/libpcap.so /opt/snf/lib/libpcap.so.0.9.4
    3. Set LD_LIBRARY_PATH so that the Sniffer10G-compatible libpcap is found before the system one:

      csh/tcsh:

      % setenv LD_LIBRARY_PATH /opt/snf/lib

      bash:

      $ export LD_LIBRARY_PATH=/opt/snf/lib

      Caveat: the dynamic loader ignores LD_LIBRARY_PATH for setuid/setgid binaries and for binaries that gain privileges through file capabilities (secure-execution mode), so a tcpdump installed that way keeps using the system libpcap no matter what you export. The same applies to sudo itself: sudo is setuid, so the loader strips LD_LIBRARY_PATH from its environment before sudo even starts, and neither sudo -E nor env_keep in sudoers can bring it back. When tcpdump has to run as root, set the variable as an argument to env(1) invoked under sudo instead of exporting it in your shell, and confirm with ldd (see Note 1) that the binary really resolves libpcap from /opt/snf/lib.
    4. Set SNF_DEBUG_MASK=3 so that libsnf reports whether incoming packets are going through Sniffer10G (pass it the same way as LD_LIBRARY_PATH when running under sudo):

      csh/tcsh:

      % setenv SNF_DEBUG_MASK 3

      bash:

      $ export SNF_DEBUG_MASK=3
    5. Run tcpdump on the snf0 interface:

      % tcpdump -ni snf0
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on snf0, link-type EN10MB (Ethernet), capture size 65535 bytes
      09:13:10.065406 IP 192.168.1.32 > 192.168.1.250: ICMP echo request, id 21865, seq 7, length 64
      09:13:11.065142 IP 192.168.1.32 > 192.168.1.250: ICMP echo request, id 21865, seq 8, length 64
      09:13:12.065889 IP 192.168.1.32 > 192.168.1.250: ICMP echo request, id 21865, seq 9, length 64
      09:13:13.065632 IP 192.168.1.32 > 192.168.1.250: ICMP echo request, id 21865, seq 10, length 64
      09:13:14.065374 IP 192.168.1.32 > 192.168.1.250: ICMP echo request, id 21865, seq 11, length 64

      5 packets captured
      5 packets received by filter
      0 packets dropped by kernel


      Caveat:

      Please be aware that while Sniffer10G can receive up to 14.8 Mpps (64-byte frames at 10 Gb/s line rate), tcpdump decodes every packet and prints it to standard output, which severely limits the packet rate it can keep up with. Writing to a file with -w avoids the decode cost but is still far from line rate.

      To see what packet rates Sniffer10G itself can achieve, the simplest way is to run the test program shipped with the software: /opt/snf/bin/tests/snf_simple_recv.

      Please also read these articles: "Using the Sniffer10G libpcap interface" and "tcpdump: is there a way to capture packets down to the nanosecond?".

      Note 1:

      If there are problems opening the snf0 device, verify that ldd resolves both libpcap and libsnf from /opt/snf/lib (run ldd with the same LD_LIBRARY_PATH you will run tcpdump with). If libpcap still resolves from /usr/lib64, tcpdump is using the kernel libpcap and has no snf0 to open. Eg:

      % ldd ./tcpdump
      libpcap.so.0.9.4 => /opt/snf/lib/libpcap.so.0.9.4 (0x00002b058049a000)
      libc.so.6 => /lib64/libc.so.6 (0x00000034c1000000)
      libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00002b05806de000)
      /lib64/ld-linux-x86-64.so.2 (0x00000034c0c00000)
      libpthread.so.0 => /lib64/libpthread.so.0 (0x00000034c1c00000)
      librt.so.1 => /lib64/librt.so.1 (0x00000034c2400000)


      Note 2:

      Opening the SNF interface for sniffing diverts all traffic on that port from the normal Ethernet interface to the sniffing application. While a capture is in progress, the host will therefore not respond on that 10G interface (ping, SSH and any other service bound to it will appear down).

      Note 3:

      Using snf0 versus eth0 (the same port and MAC address) as the tcpdump interface name. This difference is libpcap related. If tcpdump links against the libpcap we distribute, both eth0 and snf0 go through Sniffer10G. If you build your own libpcap with Sniffer10G support, eth0 goes through the kernel and only snf0 goes through Sniffer10G. We generally recommend using snfX: it always works with a Sniffer10G-capable libpcap, and when it does not, that tells you tcpdump is not using the correct libpcap. Refer to the Sniffer10G User Guide for verifying, with SNF_DEBUG_MASK=3 set, that everything looks fine when the device is opened.
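
The ldd checks from step 1, step 3.1 and Note 1, plus the sudo caveat from step 3.3, collected into one small POSIX shell script. This is an added example, not code from this article or from the Sniffer10G distribution: the variable SNF_LIB and the function names are this example's own, the sample ldd output at the bottom is constructed rather than captured from a host, and the parsers assume glibc's ldd line format ("soname => path (address)").

```shell
#!/bin/sh
# Added example (not part of Sniffer10G or the original article): helpers for
# the libpcap linkage checks and for running tcpdump through Sniffer10G as root.
# SNF_LIB, pcap_soname, snf_linked, snf_pcap_symlink, check_tcpdump and
# snf_tcpdump are names chosen for this example. Assumes glibc ldd output.

SNF_LIB=${SNF_LIB:-/opt/snf/lib}

# Print the libpcap soname (e.g. libpcap.so.0.9.4) from ldd output on stdin.
# Prints nothing when libpcap is statically linked (step 1 / step 3.1).
pcap_soname() {
    awk '$1 ~ /^libpcap\.so/ && $2 == "=>" { print $1; exit }'
}

# Succeed only if ldd output on stdin resolves BOTH libpcap and libsnf from
# under $SNF_LIB, i.e. tcpdump will really go through Sniffer10G (Note 1).
snf_linked() {
    awk -v lib="$SNF_LIB/" '
        $2 == "=>" && $1 ~ /^libpcap\.so/ && index($3, lib) == 1 { pcap = 1 }
        $2 == "=>" && $1 ~ /^libsnf\.so/  && index($3, lib) == 1 { snf = 1 }
        END { exit (pcap && snf) ? 0 : 1 }'
}

# Print the symlink path step 3.2 needs for a soname, e.g.
# /opt/snf/lib/libpcap.so.0.9.4. Only a bare libpcap soname is accepted, so
# an unexpected ldd line cannot turn into a path outside $SNF_LIB.
snf_pcap_symlink() {
    case $1 in
        */*) echo "bad soname: $1" >&2; return 1 ;;
        libpcap.so.*) printf '%s/%s\n' "$SNF_LIB" "$1" ;;
        *) echo "bad soname: $1" >&2; return 1 ;;
    esac
}

# Run ldd on a real tcpdump binary with LD_LIBRARY_PATH pointing at $SNF_LIB
# and report whether it would pick up the Sniffer10G libraries.
check_tcpdump() {
    bin=${1:-$(command -v tcpdump)}
    soname=$(ldd "$bin" | pcap_soname)
    if [ -z "$soname" ]; then
        echo "$bin: libpcap is statically linked; rebuild tcpdump (step 2)" >&2
        return 1
    fi
    link=$(snf_pcap_symlink "$soname") || return 1
    [ -e "$link" ] || echo "missing symlink: sudo ln -s $SNF_LIB/libpcap.so $link" >&2
    if LD_LIBRARY_PATH=$SNF_LIB ldd "$bin" | snf_linked; then
        echo "$bin: libpcap and libsnf resolve under $SNF_LIB"
    else
        echo "$bin: NOT using the Sniffer10G libpcap (check $link and LD_LIBRARY_PATH)" >&2
        return 1
    fi
}

# Run tcpdump as root. sudo is setuid, so the loader strips LD_LIBRARY_PATH
# from sudo's own environment before sudo starts; passing the variables as
# arguments to env(1) sidesteps that. SNF_DEBUG_MASK=3 makes libsnf report
# whether the snf device was opened (step 3.4).
snf_tcpdump() {
    bin=$1; shift
    sudo env LD_LIBRARY_PATH="$SNF_LIB" SNF_DEBUG_MASK=3 "$bin" "$@"
}

# Constructed ldd output (not captured from a real host) to exercise the
# parsers offline: first a system-pcap tcpdump, then one resolved via /opt/snf.
SAMPLE_SYSTEM_LDD='    libpcap.so.0.9.4 => /usr/lib64/libpcap.so.0.9.4 (0x00000034c1400000)
    libc.so.6 => /lib64/libc.so.6 (0x00000034c1000000)'
SAMPLE_SNF_LDD='    libpcap.so.0.9.4 => /opt/snf/lib/libpcap.so.0.9.4 (0x00002b058049a000)
    libc.so.6 => /lib64/libc.so.6 (0x00000034c1000000)
    libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00002b05806de000)'

printf '%s\n' "$SAMPLE_SYSTEM_LDD" | snf_linked && echo "sample 1: Sniffer10G" || echo "sample 1: kernel libpcap"
printf '%s\n' "$SAMPLE_SNF_LDD" | snf_linked && echo "sample 2: Sniffer10G" || echo "sample 2: kernel libpcap"
```

Source the file, run check_tcpdump with the path of the tcpdump binary from step 2 (or no argument for the one on PATH), and once it reports both libraries under /opt/snf/lib start the capture with snf_tcpdump followed by the binary path and the usual tcpdump arguments (for example -ni snf0). check_tcpdump runs ldd with the same LD_LIBRARY_PATH that snf_tcpdump hands to env, so what it reports is what the capture will actually load.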

